Cyber Security Intelligence


January Newsletter #3 2015

Dark Web thrives despite Operation Onymous

There is a part of the web that is still hidden from the majority of the Internet users, a so-called dark web that cannot be found by conventional search engines or accessed by standard browsers.

Parts of the dark web reside on the Tor network, which, thanks to its nigh untraceable user anonymity, is a fertile breeding ground for cyber-criminals and illicit dealings. It is the ideal environment for an online illegal goods black market that sells everything from drugs and weapons to hitmen and hacking attacks for hire.

The dark web is a section of the Internet that is not indexed by search engines such as Google and not easily navigated to using a standard web browser.

Accessing the dark web requires specialised knowledge and software tools. An example of this is content that is only accessible by using the Tor software and anonymity network, which, while protecting privacy, can be associated with illicit activities.

These specialised black markets are flourishing in this nefarious corner of the Internet; criminals are developing points of aggregation where buyers and sellers can operate in anonymity and benefit from escrow services offered by the operators.

Names such as Silk Road (and its successor, Silk Road 2.0), BlueSky Marketplace, Pandora Marketplace, Tor Bazaar Alpha and Cannabis Road have become hugely popular in the criminal ecosystem.

Law enforcement and judicial agencies worldwide have coordinated their efforts against illicit dark web markets on the Tor network. An impressive FBI bust on 5 and 6 November, dubbed Operation Onymous, saw the closure of hundreds of websites operating on the Tor network. Its key achievement was the seizure of the black market Silk Road 2.0 and the arrest of its alleged manager, Blake Benthall.

Operation Onymous certainly had a significant impact, with well-known sites shut and levels of online illicit deals decreasing. However, security experts observed a rapid response from the criminal underground to the pressure exerted by law enforcement.

Data provided by the non-profit Digital Citizens Alliance Security suggests Onymous shifted the balance in favour of new and surviving black markets, which have now gained market share.
The criminal underground is also demonstrating significant capability to restore illegal activities by building new services. Through its monitoring, Digital Citizens claims it was tracking 18 dark networks at the time of the Onymous crackdown. That number was reduced to seven after Onymous but since then, five new sites have popped up to fill the void.

There are more threats to contend with than just the black markets. The dark web is an ideal environment for the spread of child porn and harbours botnets designed to steal credit card data.

Anonymising networks, and in particular the Tor network, are a powerful instrument in the arsenal of cyber-criminals to conduct illegal activities, such as the takeover of bank accounts. A US Treasury Department report states that the majority of bank account takeovers by cyber-criminals affecting organisations over the past decade exploited the anonymising Tor network.

Bad actors will explore the dark web even more to hide their identity and increase their business opportunities. This requires a significant effort from enforcers and private security firms: hacking techniques used to de-anonymise users have to be integrated with meticulous intelligence activities to infiltrate the principal criminal crews and identify their main operators on the dark web.

Critical Infrastructure: Hackers Successfully Target German Steel Mill

Hackers infiltrated a German steel mill and made it impossible to safely shut down a furnace, according to a German security report quietly published before the new year. The breach, which caused “massive” damage, marks just the second time a digital attack caused physical damage, highlighting growing fears that cyberwarfare will soon impact more than computers and networks.

Few specifics are provided in Germany’s Federal Office for Information Security report, first obtained by Wired, other than that the hackers obtained access via a spearphishing attack before quickly moving across a “multitude” of sensitive corporate networks. Who the hackers were, how long they were in the system, whether they intended to destroy the furnace and what, if any, other equipment they accessed all remain unclear.

“The know-how of the attacker was very pronounced not only in conventional IT security but extended to detailed knowledge of applied industrial controls and production processes,” said the German-language report, according to a Wired translation.

This hack comes after the U.S. and Israeli governments deployed the Stuxnet worm against the Iranian government, which is believed to have destroyed nearly one-fifth of the country’s uranium enrichment facilities used to make nuclear weapons. When that malware was discovered in 2010, cybersecurity experts warned that it would only be a matter of time before civilian infrastructure – like hospitals, banks, power grids or any number of possibilities – would be targeted by malicious actors.

“Countries realize that cyber espionage is a heck of a lot easier than anything else,” Chris Bronk, a former U.S. State Department official, told Ars Technica in 2012. “Now the question is: To what degree [will we have] malware that is designed to impact the physical world? When is that going to become a more widely utilized capability?”

Coming Soon. How Surveillance and Privacy will Overlap in 2025

When living a public life becomes the new default, what does privacy even mean?
That’s one of the central questions in a new report about the future of privacy from Pew Research Center, which collected the opinions of more than 2,500 experts in computer programming, engineering, publishing, data science, and related fields.

Some respondents told Pew they are confident that policymakers will, in the next decade, establish privacy rights that protect individuals from government and corporate surveillance. (In the United States, there are practically no protections for individuals against the companies and governments that track them.) But many others are pessimistic about the possibility that such a framework might come about in the next 10 years—or ever.

Experts agreed, though, that our expectations about personal privacy are changing dramatically. While privacy once generally meant, “I assume no one is looking,” as one respondent put it, the public is beginning to accept the opposite: that someone usually is. And whether or not people accept it, that new normal—public life and mass surveillance as a default—will become a component of the ever-widening socioeconomic divide. Privacy as we know it today will become a luxury commodity. Opting out will be for the rich. To some extent that’s already true. Consider the supermarkets that require you to fill out an application—including your name, address, phone number, and so on—in order to get a rewards card that unlocks coupons. Here’s what Kate Crawford, a researcher who focuses on ethics in the age of big data, told Pew:

‘In the next 10 years, I would expect to see the development of more encryption technologies and boutique services for people prepared to pay a premium for greater control over their data. This is the creation of privacy as a luxury good. It also has the unfortunate effect of establishing a new divide: the privacy rich and the privacy poor. Whether genuine control over your information will be extended to the majority of people—and for free—seems very unlikely, without a much stronger policy commitment.’

And there’s little incentive for the entities that benefit from a breakdown in privacy to change the way they operate. In order to get more robust privacy protections—like terms of service agreements that are actually readable to non-lawyers, or rules that let people review the personal information that data brokers collect about them—many experts agree that individuals will have to demand them. But even that may not work.

Where there’s tension between convenience and privacy, individuals are already primed to give up their right to be left alone. For instance, consider the Facebook user who feels uneasy about the site’s interest in her personal data but determines quitting isn’t an option because she’d be giving up the easiest way to stay in touch with friends and family.

That mentality is changing the way people think about their rights in the first place.

“By 2025, many of the issues, behaviors, and information we consider to be private today will not be so,” said Homero Gil de Zuniga, director of the Digital Media Research Program at the University of Texas-Austin, in the Pew report. “Information will be even more pervasive, even more liquid, and portable. The digital private sphere, as well as the digital public sphere, will most likely completely overlap.”

In other words, the conveniences of the modern world will likely dictate privacy norms. This is already happening all around us. As the media critic Mark Andrejevic points out to Pew, many people today treat email as though it’s equivalent to a private face-to-face conversation. It is not.

“We will continue to act as if we have what we once called ‘privacy,’” Andrejevic told Pew, “but we will know, on some level, that much of what we do is recorded, captured, and retrievable, and even further, that this information will provide comprehensive clues about aspects of our lives that we imagined to be somehow exempt from data collection.”

“We are embarked, irreversibly, I suspect, upon a trajectory toward a world in which those spaces, times, and spheres of activity free from data collection and monitoring will, for all practical purposes, disappear.”

Sony has a $60 million Cyber Insurance policy

Sony Pictures Entertainment holds $60 million in Cyber insurance with Marsh, according to documents leaked by the group claiming responsibility for the attack on the movie studio.
The documents, covered in detail by Steve Ragan at CSO, say that after was breached in 2011, Sony made a claim of $1.6 million with Hiscox, its Cyber provider at the time. The insurer declined to quote at renewal, so Sony Pictures turned to Lockton, which brokered a $20 million policy that included $10 million in self-insured retention.

Around April 1 of this year, Sony moved its Cyber policy to AIG, when it acquired $10 million in coverage. This policy, effective until April 1, 2015, overlaps with its existing coverage, Ragan writes. In May, the movie studio turned to a new insurance broker, Marsh, which reached out to Brit Insurance, Liberty International Underwriters, Beazley and other carriers to secure upward of $60 million in coverage.

Policy details say that the studio consolidated coverage with Sony Corporation of America, with a $5 million retention at an annual cost of $356,963. The policy includes security and privacy liability coverage, as well as event management, network interruption, cyber extortion and regulatory action.

Apple customers in the US and Canada can now buy the film for $14.99 via Apple’s digital media store, a move that at least extends the devices that you can watch it on to iOS, Apple TV and OSX. Other places it can be viewed or bought include Sony’s own site, YouTube, Xbox and Google Play.

The hackers who compromised Sony Pictures Entertainment’s servers and have been releasing private files and emails to the public, which detailed everything from the personal, financial and medical data of present and past employees and much more, are now threatening a “news media organization,” according to a new report. That organization may be CNN, based on information posted on anonymous sharing site Pastebin.

The Intercept today published a joint memo from the FBI and the Department of Homeland Security it obtained, which says the hacking group, known as the “Guardians of Peace,” has threatened to attack a U.S. news media organization, and the threat “may extend to other such organizations in the near future.”

The memo doesn’t state the news media organization by name, but instead references Pastebin messages that taunt both the FBI and “USPER2,” which is how the FBI’s memo referenced the news media organization. The memo only mentioned the news organization was mocked for the “‘quality’ of their investigations,” and an additional threat was implied.

Android Apps Collect Personal Data – But just how much may surprise you

A new study looking at how mobile Android apps track smartphone users has revealed some interesting facts about Android applications, InfoWorld reports, finding that many apps collect plenty of personal data in an attempt to track users online and serve them targeted ads in the process.

Two French organizations, including the French National Institute for Informatics Research (INRIA) and the National Commission on Computing and Liberty (CNIL), installed a monitoring app on Android phones belonging to 10 different people, encouraging them to use the handsets as they normally do.

For a three-month period, the volunteers collectively used 121 apps, with Mobilitics recording every time one of these apps accessed personal data, including location, identifier, photos, messages and other info. The app also tracked whether the data was transmitted to a server or not.

Almost two-thirds of apps accessed at least one identifier, 25% of them accessed at least two identifiers and a sixth of apps three or more, the study found. However, it’s not clear what kind of devices were used, or what Android OS version they were running.

Location accounted for 30% of all personal data accessed, with the study revealing some interesting numbers. For example, the Facebook app recorded one person’s location 150,000 times during the three-month period, or more than once per minute. The Google Play Store tracked a user’s phone 10 times per minute at certain times. One game recorded a user’s location 3,000 times while it was in use.

But the most amazing stat belongs to an unspecified default Android app made by Google, which checked a user’s location 1 million times in one month.

As the study reveals, it’s pretty easy for app developers to track users by simply looking at a phone’s Wi-Fi and/or Internet state, with the resulting data being enough for targeted advertising. Additionally, the data can be aggregated in order to profile users and their social networks even better.

UK Police Radios will be killed soon, but is 4G really the Solution?

In less than 18 months' time the police radio network will be switched off. There is no obvious replacement and the looming omnishambles is turning into a bonanza for Arqiva, the only company brave enough to offer a solution.

Peter Neyroud CBE, former head of the National Policing Improvement Agency and now at the University of Cambridge lecturing in criminology, told us: “They moved to do what they are doing far too late. I told Labour to get on with it in 2009.”

The British police and the other emergency services use a system called Airwave. This uses a technology called Tetra (Terrestrial Trunked Radio), which is halfway between a mobile phone system and a walkie-talkie. It’s an ancient technology and very poor at mobile data, which runs at 7.2kbps. There is a standard to boost that to 700kbps but it has never been implemented. Instead the plan is to replace it with 4G.

The new £1.2bn Emergency Services Network contract will replace the previous £2.9bn digital radio communications supplied by one company, Airwave.

Airwave revolutionised policing in many rural areas but more recently has been criticised for being too costly as it was set at a fixed price, with escalation, more than a decade ago. Peter Neyroud, who negotiated the initial contracts, told us that as police budgets have been squeezed and the cost of the Airwave contract has risen it’s become a more significant line item.

“It was never cheap,” said Neyroud, “but given what you were asking it to do it was always going to cost,” pointing out that it replaced a system of UHF and VHF that was incredibly patchy and unreliable.

Airwave was initially part of O2 but the company was taken over by Macquarie Group Limited, a private equity firm, and the prices to the emergency services reflected this. Neyroud told us that while the pricing was baked in from the start, Airwave doesn’t have much room to move as Macquarie ultimately has shareholders to service.

Devices made in low volumes for specialist use are also expensive. To those of us used to mobile phones, where you can get an Android device for under £100, a voice-only radio at thousands seems exorbitant. The plan to move to 4G sounds sensible but the people who actually use emergency communications have deep reservations.

So, keen to find something faster and affordable, the emergency services are looking to 4G. While Airwave does support full duplex, one of the most important features the emergency services want is push-to-talk, a walkie-talkie-like service. And that is where the focus of making mobile fit for use by the emergency services has been.

There are systems in place to give emergency services priority, but network congestion is still going to affect the ability of the backhaul infrastructure to cope. The Home Office issues licenses for the emergency services to set a bit on the SIM to enable MTPAS (Mobile Telecommunication Privileged Access Scheme), previously called ACCOLC (Access Overload Control), and still informally called that. There is a limited pool of MTPAS SIMs, and a police force which wants one has to get its mobile operator to fill in the paperwork for the Home Office to request it. The IMSI of the enabled SIM is registered with the network.

